Wednesday, January 27, 2010

Was I the only person who saw the headline "A view from Microsoft's disaster central" and immediately thought that the following article would be about Microsoft's efforts to contain the damage from the Explorer weakness that was exploited in the Google hack?

Probably. I guess it's an occupational hazard that comes from being a lawyer who focuses on computer software.

And speaking of software, I wanted to mention that, in my hiatus from Ephemerallaw, I started up a new blog, Developer Diary, which is devoted to my ongoing programming efforts. I also set up a page, By Hand Games, where you can download some of the games I've written.

Of course, the above has nothing to do with information security or data privacy. Then again, I'm not exclusively devoted to information security and data privacy, and I see no particular reason why Ephemerallaw should be either.

Sunday, January 24, 2010

Quick answer: I don't know, but it's less likely than it might initially appear.

Earlier this month several sources, including Wired, reported that over 30 large companies, including Google and Adobe, had been victims of a sophisticated hack, which Microsoft admits was made possible by a weakness in Internet Explorer 6. Microsoft also admits that it learned of the flaw in September, and that it was holding back a patch so that it could be released in a cumulative update that was due out next month. Given the above, and the notoriously litigious nature of the American public, it would seem that Microsoft is almost guaranteed to be hit by a lawsuit seeking damages based on the failure to release the patch earlier. Certainly, when I read that Microsoft had learned about the flaw and withheld the patch, my first thought was that this was something that would keep their lawyers busy in court for months (if not years) to come.

However, the more I think about the situation, the less I think Microsoft is guaranteed to go to court. If this had happened 3-4 years ago, I'd expect Microsoft would already have been hit by a class action lawsuit filed on behalf of consumers who used IE6. However, since that time, courts have been pretty uniformly unreceptive to claims that consumers are damaged by increased risks caused by unauthorized access to data by third parties (e.g., here). A consumer wanting to sue Microsoft for vulnerabilities in IE6 would be even less likely to succeed, since (unlike the unsuccessful plaintiffs in the security breach cases) the hypothetical consumer suing Microsoft wouldn't even be able to show that an unauthorized third party had accessed their system, only that they were at an increased risk of such access due to using IE6. Looking at that history, the chances of a consumer class action against Microsoft seem pretty slim.*

So, consumers aren't likely to sue Microsoft. What about the businesses who were victimized because of the flaw? While they'd have an easier time proving damages (after all, it is known that they were hacked, and at least some of what the hackers did), there are also forces which could prevent them from going to court. For one thing, most businesses try and work things out before involving the judiciary. In this case, I assume that Google, Adobe, et al. have contacted Microsoft about helping them clean up the damage. Microsoft has a significant interest in trying to make sure those out of court efforts are successful, since a drawn out court battle could only hurt Microsoft's brand in the already competitive browser market. Similarly, the companies that have been hacked would probably like to avoid going to court as well, since any lawsuit would invariably have the effect of calling their own security into question, even if they could convince the public that the reason their systems weren't secure is because they were using unsafe products, rather than that their own internal practices were deficient.

Of course, strong incentives to avoid a court battle don't necessarily mean there won't be one. If the damage caused by the hackers is too expensive, Microsoft might be willing to fight not to pay it, and the injured company might be willing to fight to get paid. At this point it's impossible to say how likely that is to play out. However, I think, given the incentives on all sides to avoid it, the likelihood of a lawsuit against Microsoft on this is much lower than it would initially appear.

*Obviously, the chances aren't zero. If there was going to be a suit against Microsoft, I would expect it in a state which has allowed suits for increased risk of health problems as a result of a chemical spill. The analogy isn't perfect, but it does make it somewhat easier to prove damages.
